b'\x0cFY 2006 OFFICE OF INSPECTOR GENERAL\nFISMA REVIEW OF GSA\xe2\x80\x99S INFORMATION\n  TECHNOLOGY SECURITY PROGRAM\n  REPORT NUMBER A060123/O/T/F06018\n\n          September 8, 2006\n\x0c\x0c                                     FY 2006 OFFICE OF INSPECTOR GENERAL\n                                     FISMA REVIEW OF GSA\xe2\x80\x99S INFORMATION\n                                       TECHNOLOGY SECURITY PROGRAM\n                                       REPORT NUMBER A060123/O/T/F06018\n\n                                                     TABLE OF CONTENTS\n\n\nEXECUTIVE SUMMARY ............................................................................................................. i\n\nINTRODUCTION .......................................................................................................................... 1\n   Objectives, Scope, and Methodology ......................................................................................... 1\n\nRESULTS OF AUDIT.................................................................................................................... 3\n   Standardized IT System Security Performance Goals and Measures Are Not In\n   Place To Establish Accountability in GSA\'s IT Security Program............................................. 3\n   Additions and Modifications to GSA\'s IT Security Policy and Procedures Are\n   Needed To Provide Program Accountability.............................................................................. 6\n   GSA Would Benefit From A More Proactive Approach for Addressing\n   Emerging Risks........................................................................................................................... 8\nRECOMMENDATIONS.............................................................................................................. 10\n\nMANAGEMENT COMMENTS.................................................................................................. 
11\n\nINTERNAL CONTROLS ............................................................................................................ 11\n                                                              APPENDICES\n\nGSA, OFFICE OF INSPECTOR GENERAL RESPONSES TO THE OFFICE OF\nMANAGEMENT AND BUDGET\xe2\x80\x99S FISMA QUESTIONS..................................................... A-1\n\nTEN SYSTEMS REVIEWED BY THE OFFICE OF INSPECTOR GENERAL IN\n2006............................................................................................................................................. B-1\n\nSTATUS OF CONTRACTOR BACKGROUND INVESTIGATIONS FOR\nTEN SYSTEMS.......................................................................................................................... C-1\n\nGSA-CIO\xe2\x80\x99S RESPONSE TO DRAFT AUDIT REPORT ......................................................... D-1\n\nREPORT DISTRIBUTION .........................................................................................................E-1\n\x0c                        FY 2006 OFFICE OF INSPECTOR GENERAL\n                        FISMA REVIEW OF GSA\xe2\x80\x99S INFORMATION\n                          TECHNOLOGY SECURITY PROGRAM\n                          REPORT NUMBER A060123/O/T/F06018\n\n                                  EXECUTIVE SUMMARY\n\nPurpose\n\nThe objective of this audit was to assess the effectiveness of the General Services\nAdministration\'s (GSA\'s) Information Technology (IT) Security Program and practices for select\nsystems in meeting Federal Information Security Management Act of 2002 (FISMA)\nrequirements. 
Our response to specific questions outlined in the Office of Management and\nBudget (OMB) Fiscal Year (FY) 2006 reporting guidance for FISMA is included in Appendix A.\nThis audit report is provided for inclusion as an appendix in GSA\xe2\x80\x99s FY 2006 FISMA report and\nFY 2008 budget submission to the OMB.\n\nBackground\n\nFISMA provides a framework for securing Federal information systems, including: (1) ensuring\nthe effectiveness of information security controls over information resources; (2) development\nand maintenance of minimum controls required to protect Federal information and information\nsystems; and (3) a mechanism for improved oversight of agency information security programs.\nThis audit report presents the results of the Inspector General\xe2\x80\x99s FY 2006 independent evaluation\nof the GSA agency-wide IT Security Program and controls for select systems as required by\nFISMA. Results of prior audits of GSA\'s IT Security Program have been issued annually since\n2001 and included recommendations to address program weaknesses in 2004 and 2005.\n\nResults-in-Brief\n\nEfforts to better secure GSA\xe2\x80\x99s systems continue, but system security officials do not consistently\nensure effective implementation of GSA\xe2\x80\x99s IT Security Policy due, in part, to a lack of\naccountability and the need for program policies and procedures for measuring individual\nperformance. In our vulnerability scanning of systems reviewed for FISMA, sample systems\nhave shown improvements as evidenced by a decrease in the number of critical vulnerabilities\nwe identified from 140 in 2005 to 19 in 2006. While the Senior Agency Information Security\nOfficer (SAISO) has taken steps over the last year to address previously reported weaknesses, we\ncontinue to find instances where Information System Security Officers (ISSOs) and Information\nSystem Security Managers (ISSMs) did not ensure that systems were properly secured. 
We\nconcluded that effective implementation of GSA\'s IT Security Program at the system level is\ndependent upon improved accountability for persons with key IT security responsibilities.\nFurther, there is a need for improved policy and procedures to establish standardized\nperformance goals and measures for associates and contractors performing ISSO and ISSM\nresponsibilities, since these individuals do not typically report directly to the Office of the GSA\nChief Information Officer (GSA-OCIO). Accountability in the IT Security Program also\ndepends on periodic assessments of performance goal accomplishment for each ISSO and ISSM,\nand the results of those assessments being provided to the appropriate ISSO, ISSM, and\nAuthorizing Official (AO). Finally, an analysis of technical security controls for web\napplications and Voice over Internet Protocol (VoIP) implementations found that GSA\xe2\x80\x99s IT\n                                                  i\n\x0cSecurity Program would also benefit from a more proactive approach to addressing emerging IT\nsecurity risks. Appendix A contains our responses to specific FISMA questions, as requested by\nOMB.\n\nRecommendations\n\nTo strengthen GSA\'s IT Security Program and improve the security of information technology\nassets, we recommend that the GSA, Chief Information Officer take actions to:\n\n   1. Implement improved accountability for associates and contractors supporting GSA\'s IT\n      Security Program by taking actions to:\n      a. Engage the Administrator\xe2\x80\x99s support for developing standardized performance goals\n          and measures for Information System Security Officers and Information System\n          Security Managers across GSA Service, Staff, and Regional Offices, with periodic\n          assessments of performance by the Senior Agency Information System Officer for\n          use in performance evaluations.\n      b. 
Require that contracts and task orders for Information System Security Officer and\n          Information System Security Manager services, in support of GSA systems, include\n          performance requirements similar to goals and measures being established for GSA\n          associates in these roles.\n      c. Collaborate with the GSA Personnel Security Requirements Division to identify and\n          implement procedures and controls that effectively ensure prompt initiation of\n          contractor background investigations for individuals accessing GSA systems and\n          data.\n\n   2. Strengthen GSA\'s IT Security Policy and procedures in the following areas:\n      a. Develop guidance and directives necessary to establish and monitor IT security\n           performance goals and measures for Information System Security Officers and\n           Information System Security Managers.\n      b. Require Senior Agency Information Security Officer approval of Information\n           System Security Officer and Information System Security Manager assignments.\n      c. Add the roles of Contracting Officer and Contracting Officer\xe2\x80\x99s Technical\n           Representative as persons with IT security responsibilities, and clarify the\n           responsibilities of systems security officials in the background investigation process.\n      d. Segregate IT security roles and responsibilities by requiring that one individual\n           cannot be both the Information System Security Officer and Information System\n           Security Manager for a single system.\n      e. Clarify the Contractor Operations section of the policy to require that task orders, as\n           well as contracts, include appropriate security requirements.\n\n   3. Ensure that the Information Technology Architecture Planning Committee, IT Security\n      Subcommittee regularly takes actions to address risks with emerging technologies.\n\n   4. 
Develop and implement technical/hardening guides for securing web applications and\n      Voice over Internet Protocol.\n\nManagement Comments\n\nThe GSA-CIO concurred with the findings and recommendations outlined in this report.\n                                            ii\n\x0c                                             INTRODUCTION\n\nThe Federal Information Security Management Act of 2002 (FISMA) provides a framework for\nsecuring Federal information systems including: (1) ensuring the effectiveness of information\nsecurity controls over information resources; (2) development and maintenance of minimum\ncontrols required to protect Federal information and information systems; and (3) a mechanism\nfor improved oversight of agency information security programs. This audit report presents the\nresults of the Inspector General\xe2\x80\x99s Fiscal Year (FY) 2006 independent evaluation of the General\nServices Administration\xe2\x80\x99s (GSA) agency-wide Information Technology (IT) Security Program\nand controls for select systems, as required by FISMA. Results of prior audits of GSA\'s IT\nSecurity Program have been issued annually since 2001 and included recommendations to\naddress program weaknesses in 2004 and 2005.\n\n\nObjectives, Scope, and Methodology\n\nThe objective of this audit was to assess the effectiveness of GSA\xe2\x80\x99s IT Security Program and\npractices for select systems in meeting FISMA requirements. Our response to specific questions\noutlined in the Office of Management and Budget (OMB) FY 2006 reporting guidance for\nFISMA is included in Appendix A. 
This audit report is provided for inclusion as an appendix in\nGSA\xe2\x80\x99s FY 2006 FISMA report and FY 2008 budget submission to the OMB.\n\nWe met with Agency IT security officials in the GSA Office of the Chief Information Officer\n(GSA-OCIO) and in Services, Staff Offices, and Regions (S/SO/R), including the GSA Senior\nAgency Information Security Officer (SAISO), Information System Security Managers (ISSMs),\nand Information System Security Officers (ISSOs) for select systems. In 2006, we reviewed\nsecurity controls for 10 systems across GSA, which included six components of larger systems,\nto assess the comprehensiveness of the implementation of the Agency IT Security Program.\nAppendix B lists the 10 systems reviewed as part of this audit. We reviewed GSA\xe2\x80\x99s agency-\nwide IT Security Policy1 and procedures, standards, and guidelines for implementing GSA\xe2\x80\x99s IT\nSecurity Program. To obtain information on commonly accepted IT security principles and\npractices, we used the National Institute of Standards and Technology (NIST) Federal\nInformation Processing Standards Publications, and Special Publication 800 series security\nguidelines. We also reviewed GSA\xe2\x80\x99s annual financial statement audit report for FY 2005, and\nthe related management letter.\n\nTo assess the effectiveness of GSA\xe2\x80\x99s IT Security Program implementation, we examined risk\nassessments, system security plans, security assessment results, certification and accreditation\n(C&A) letters, contingency plans, and Plans of Action and Milestones (POA&M) for each\nsystem. In addition to reviewing the comprehensiveness of documentation, we evaluated\nadditional managerial, technical and operational controls including: vulnerability scanning,\ndatabase configuration testing, and reviews of environmental and physical security, background\ninvestigations, and training. 
During our FISMA review, we performed a detailed analysis of one\nweb application, initiated a broader review of web application security to address input\nvalidation, and issued an Alert Report in May 2006. Office of Inspector General (OIG) Alert\n\n\n1\n    GSA Order CIO P 2100.1C - GSA Information Technology Security Policy, February 17, 2006.\n                                                        1\n\x0cReports are issued when significant, immediate internal audit concerns need to be conveyed to\nagency management before the completion of an ongoing review.\n\nIn addition to FISMA, we reviewed other applicable regulations and policies, including: OMB\nCircular A-130 Revised, Appendix III, Security of Federal Automated Information Resources,\nNovember 2000; GSA Order CIO P 2100.1C - GSA Information Technology Security Policy,\nFebruary 17, 2006; GSA\xe2\x80\x99s procedural guides on conducting risk assessments, C&A, incident\nhandling, and related technical hardening guides and standards, available on the GSA-OCIO\xe2\x80\x99s IT\nSecurity Intranet site; NIST Federal Information Processing Standards Publications, and 800\nseries Special Publications (SP); and Homeland Security Presidential Directive (HSPD) 12\n\xe2\x80\x9cPolicy for a Common Identification Standard for Federal Employees and Contractors,\xe2\x80\x9d August\n27, 2004.\n\nAudit work was performed between March 2006 and August 2006 in accordance with generally\naccepted government auditing standards.\n\n\n\n\n                                              2\n\x0c                                     RESULTS OF AUDIT\n\nEfforts to better secure GSA\xe2\x80\x99s systems continue, but system security officials do not consistently\nensure effective implementation of GSA\xe2\x80\x99s IT Security Policy due, in part, to a lack of\naccountability and the need for program policies and procedures that measure individual\nperformance. 
In our vulnerability scanning of systems reviewed for FISMA, sample systems\nhave shown improvements as evidenced by a decrease in the number of critical vulnerabilities\nwe identified from 140 in 2005 to 19 in 2006. While the Senior Agency Information Security\nOfficer (SAISO) has taken steps over the last year to address previously reported weaknesses, we\ncontinue to find instances where Information System Security Officers (ISSOs) and Information\nSystem Security Managers (ISSMs) did not ensure that systems were properly secured. We\nconcluded that effective implementation of GSA\'s IT Security Program at the system level is\ndependent upon improved accountability for persons with key IT security responsibilities.\nFurther, there is a need for improved policy and procedures to establish standardized\nperformance goals and measures for associates and contractors performing ISSO and ISSM\nresponsibilities, since these individuals do not typically report directly to the GSA Office of the\nChief Information Officer (GSA-OCIO). Accountability in the IT Security Program also\ndepends on periodic assessments of performance goal accomplishment for each ISSO and ISSM,\nand the results of those assessments being provided to the appropriate ISSO, ISSM, and\nAuthorizing Official (AO). Finally, an analysis of technical security controls for web\napplications and Voice over Internet Protocol (VoIP) implementations found that GSA\xe2\x80\x99s IT\nSecurity Program would also benefit from a more proactive approach to addressing emerging IT\nsecurity risks.\n\nAppendix A contains our responses to specific FISMA questions, as requested by OMB. 
Our\nresponses include assessments of the security of contractor provided solutions and agency\nsystems, including components of larger major applications and general support systems.\nComponents of larger systems were selected, as noted in Appendix B, since it is important that\nsystem owners ensure that all applications within defined system boundaries are secured. While\nall systems reported having a current Certification and Accreditation (C&A), the process was not\nimplemented consistently for systems reviewed, where we identified incomplete risk\nassessments, system security plans, and security assessments. Three systems did not have\nproperly tested contingency plans. Two systems operated for GSA by contractors were not\nprovided GSA\'s IT Security Policy and were not being effectively monitored to ensure\ninformation was being protected. Background investigations were not requested for one of the\ntwo systems.\n\nStandardized IT System Security Performance Goals and Measures Are Not In Place To\nEstablish Accountability in GSA\'s IT Security Program\n\nWeaknesses in several areas continue in GSA\'s IT Security Program without standardized IT\nsecurity performance goals and measures in place to establish accountability for system security\nofficials, despite improving program controls in the areas of vulnerability scanning and\ncontinuous monitoring. Again this year, we identified weaknesses with implementation of the\nC&A process, contractor background investigations, and contractor provided solutions, when IT\nSecurity Program processes did not ensure that ISSOs and ISSMs fulfilled their defined roles.\n                                              3\n\x0cWhen assessing why we repeatedly find the same weaknesses, we determined that there was\nlittle evidence of ISSOs and ISSMs, whether associates or contractors, being held accountable\nfor the security of their systems by Authorizing Officials or the GSA-OCIO. 
While the GSA-\nCIO and the SAISO have IT security performance goals and measures, they have limited\ninfluence over ISSOs and ISSMs under the supervision of Authorizing Officials in Service, Staff,\nand Regional Offices responsible for carrying out system security directives.\n\nRecurring findings in three risk areas demonstrate the effects of not having standardized IT\nsecurity performance goals and measures in place for individuals assigned system security\nresponsibilities in GSA\'s IT Security Program. For most of the systems we reviewed, the C&A\nprocess was not being implemented consistently, background investigations were not always\nbeing requested for contractors working with GSA systems, and security officials were not\nproviding adequate oversight of contractor provided solutions.\n\n       Certification and Accreditation Process\n       As reported in previous FISMA audits, the C&A process has not been consistently\n       implemented across the Agency. In 2004, we reported that for the systems we reviewed\n       the C&A process was not implemented consistently, not updated after major system\n       changes, or not completed. We recommended strengthening policy and procedures to\n       better manage risks by incorporating controls to ensure that C&A documentation,\n       including risk assessments, security plans, and security plan testing and evaluations are\n       current and complete. In 2005, we reported that the C&A process was not consistently\n       implemented and recommended that the GSA-OCIO improve security over GSA\xe2\x80\x99s data\n       and IT assets by taking actions to increase oversight of the implementation of GSA\xe2\x80\x99s IT\n       Security Policy and procedures related to C&A. The GSA\xe2\x80\x99s C&A process was revised to\n       include oversight by GSA\xe2\x80\x99s Office of the SAISO. 
The requirement for an IT security\n       office review of C&A documents should strengthen the process over the next few years,\n       but does not appropriately focus on accountability for system security officials. In 2006,\n       we again found inconsistent implementation of the C&A process where we identified\n       incomplete risk assessments, system security plans, security assessments, and\n       contingency plans for systems reviewed. C&A documentation for a general support\n       system was not updated to address additional functionality of the reviewed component.\n       A contractor provided system did not follow GSA procedural guides when developing\n       C&A documentation. ISSOs and ISSMs should have detected and initiated correction of\n       the deficiencies identified in C&A documentation.\n\n       Contractor Background Investigations\n       Risks resulting from the lack of background investigations on contractors supporting\n       GSA systems have been consistently identified since 2003, when we reported this issue\n       as a significant deficiency. In 2004, we again reported the issue, recognizing a\n       significant backlog in completing required investigations. We recommended developing\n       compensating controls to reduce risks. In 2005, we reported that GSA systems and\n       sensitive Privacy Act Data were at risk of being compromised due to incomplete\n       background investigations and again recommended the identification and adoption of\n       compensating controls. A requirement was added for a completed FBI National Criminal\n       History Check (Fingerprint Check) before initial access to systems is granted. 
GSA\n       further reduced risks by completing over 1,600 Fingerprint Checks and 568 contractor\n       background investigations of varying types between October 2005 and July 2006.\n       Despite the Agency\'s efforts, we identified multiple systems where background\n                                               4\n\x0c       investigations on contractors supporting GSA systems were not requested during our\n       2006 reviews.       Independent assessments of ten systems found that background\n       investigations were not completed for approximately two thirds of the identified contractors\n       allowed access to these systems or data. The GSA IT Security Policy places responsibility\n       on the ISSO to assist the Data Owner and Authorizing Official in ensuring users have\n       required background investigations. Although the GSA-OCIO has taken action on our\n       recommendations, there are no apparent consequences for non-compliance on the part of\n       system security officials. Appendix C lists the status of background investigations for\n       contractors supporting the ten systems reviewed and the types of checks performed. Data\n       Owners and ISSOs for eight of the nine systems utilizing contractor support personnel\n       had not ensured that all required background investigations were completed. OMB\n       Circular A-130, Appendix III requires that individuals in roles with the ability to bypass\n       significant technical and operational controls be screened prior to performing those roles.\n       We identified systems where contractors were performing key system administrator\n       duties before the completion of their background investigations. One ISSO, whose\n       primary responsibility is not security, incorrectly believed that it was not necessary to\n       conduct background investigations for personnel supporting a contractor provided system\n       on behalf of a GSA program. 
Under another ISSO, whose primary function is system\n       Team Leader, a less rigorous background investigation than required was requested for\n       contractor support personnel.\n\n       Contractor Provided Solutions Not Secured\n       GSA\'s IT Security Program has not been effective in consistently enforcing policy and\n       procedures for contractor owned and operated systems supporting GSA programs and\n       maintaining GSA data. In 2004 and 2005, we reported on contractor provided solutions\n       that were not compliant with the Agency IT Security Policy and procedures required by\n       their contracts with GSA. In 2006, as in prior years, contractors providing solutions for\n       GSA were not provided with GSA\xe2\x80\x99s IT Security Policy and procedures by the ISSO,\n       were not adequately monitored for compliance with the Agency IT Security Policy, and\n       were unaware of several vulnerabilities detected during our review. These findings\n       confirm that efforts to implement prior audit recommendations did not consistently\n       improve security for contractor provided solutions. According to the GSA IT Security\n       Policy, it is the responsibility of system security officials, including the ISSO, to ensure\n       the system is operated, used, maintained, and disposed of in accordance with internal\n       security policies and procedures. However, based on our reviews, there has been a\n       consistent lack of accountability to ensure that ISSOs and other officials oversee\n       contractor provided solutions.\n\nThe three identified risk areas demonstrate the need to modify the IT Security Program in a way\nthat will help Authorizing Officials ensure the security of their systems, accomplish GSA\'s\nFISMA goals, and effectively implement GSA\'s IT Security Policy. 
Evaluating performance of\nISSOs and ISSMs based on standardized IT security goals and measures, as part of individual\nperformance assessments, would effectively promote implementation and improve\naccountability. We believe that the GSA-CIO should engage the Administrator\xe2\x80\x99s support for\ndeveloping standardized performance goals and measures for ISSOs and ISSMs across GSA\nService, Staff, and Regional Offices, with periodic assessments of performance based on\nestablished measures. The GSA-OCIO should also collaborate with the Office of the Chief\nAcquisition Officer to develop contract and task order performance requirements when procuring\nISSO and ISSM services for GSA systems, similar to the performance goals and measures used\n                                                5\n\x0cfor GSA associates in these roles. Making IT security goals and measures a part of the\nindividual performance appraisal process would be the most effective approach to providing\naccountability, reducing recurring risks, and improving the security of GSA\'s IT assets.\n\n\nAdditions and Modifications to GSA\'s IT Security Policy and Procedures Are Needed To\nProvide Program Accountability\n\nIn order to provide accountability and address recurring weaknesses with implementing GSA\'s\nIT Security Program, we identified opportunities for additions and modifications to GSA\xe2\x80\x99s IT\nSecurity Policy and procedures in five areas to assist system security officials in\ncomprehensively addressing system risk, fulfilling their responsibilities, and maintaining\neffective internal controls. 
Additions and modifications to policies and procedures would assist\nthe SAISO and Authorizing Officials in evaluating the effectiveness of ISSOs and ISSMs\nsupporting GSA\'s systems.\n\n           Guidance as the Basis for Performance Goals and Measures\n           The GSA IT Security Policy directs system security officials to a variety of procedural\n           guides, NIST publications, and best practices, but the Agency has not developed an ISSO\n           procedural guide or an ISSM procedural guide for implementing role-specific security\n           responsibilities. This lack of specific guidance contributes to weaknesses identified with\n           the C&A process, background investigations, and contractor provided solutions, in\n           instances where ISSOs and ISSMs did not consistently fulfill their roles as defined in\n           GSA\'s IT Security Policy. Procedural guidance should delineate the specific processes\n           for completing assigned ISSO and ISSM responsibilities, establish clear performance\n           goals and measures, and provide a basis for evaluations. When contractors are providing\n           ISSO and ISSM services, the GSA-OCIO should also require that contract and task order\n           performance requirements are included, similar to the performance goals and measures to\n           be used for GSA associates in these roles.\n\n           Persons with Security Responsibilities\n           Contracting Officers (COs) and Contracting Officer\'s Technical Representatives\n           (COTRs) are not identified in Chapter 2 of the GSA IT Security Policy as individuals\n           with security roles and responsibilities. 
The policy does state in Chapter 1 that "GSA\n           system program managers and contracting officers shall ensure that the appropriate\n           security requirements of this order are put on contract for all IT systems designed,\n           developed, implemented, and operated by a contractor on behalf of the government."\n           NIST SP 800-35, Guide To Information Technology Security Services,2 which provides\n           guidance for contracting officials, includes COs and COTRs as persons with roles and\n           responsibilities when contracting for security services. With current Personnel Security\n           Requirements Division procedures, COTRs initiate contractor background investigations,\n           and take action in the case of an unfavorable adjudication on contractors supporting GSA\n           systems. Contractor services were employed for nine of the ten systems we reviewed this\n           year and we identified multiple instances where COTRs had not requested all required\n           background investigations. Adding COs and COTRs to the IT Security Policy, Chapter 2\n           Roles and Responsibilities, would clarify IT security responsibilities. In addition, the\n\n\n2\n    NIST SP 800-35 - Guide To Information Technology Security Services, October 2003.\n                                                        6\n\x0c           Contractor Operations section of GSA\'s IT Security Policy should be clarified to require\n           that task orders, as well as contracts, include appropriate security requirements.\n\n           Background Investigation Roles and Responsibilities\n           GSA\xe2\x80\x99s IT Security Policy is not consistent with other Agency directives for ensuring that\n           background investigations are completed on persons supporting GSA systems. 
The\n           policy directs that background investigations be conducted in accordance with Standard\n           Operating Procedures for HSPD-12 and the GSA Suitability and Personnel Security\n           Handbook.3 However, the Agency IT Security Policy is not consistent with processes in\n           place for contractor background investigations. GSA\'s IT Security Policy states that\n           ISSOs are to assist the Authorizing Official and Data Owner in ensuring that required\n           background investigations are completed. In contrast, the GSA Personnel Security\n           Requirements Division staff, responsible for adjudicating background investigations,\n           informed us that responsibility for requesting contractor background investigations is\n           with the COTR, not the officials identified in the IT Security Policy. Clarification of the\n           Agency IT Security Policy would facilitate improved implementation of contractor\n           background investigations where COTRs are responsible for requests.\n\n           Information System Security Officer and Information System Security Manager\n           Assignments\n           An additional factor contributing to security weaknesses was the assignment of an ISSO\n           with a lack of IT knowledge and experience commensurate with duties of an ISSO. For a\n           contractor provided E-Government call center system that processes, stores, and transmits\n           private citizen\'s names, addresses, and credit card numbers, the ISSO did not ensure that\n           contractor personnel were following GSA IT Security Policy and procedures.\n           Specifically, the ISSO did not provide the contractor with the Agency\'s IT Security\n           Policy and guidance, and when we inquired about IT security for the system, the ISSO\n           directed us to contact the contractor\xe2\x80\x99s security manager. 
Under the current Agency IT Security Program, ISSOs and ISSMs are assigned without defined minimum qualifications or approval by the SAISO.

Segregation of Security Responsibilities

In some instances, security roles are not properly segregated, as required by OMB and as intended by the IT Security Policy. Of 79 GSA systems, six had one individual performing both the ISSO and ISSM roles. Of those six, two Regional general support systems had the same individual acting as ISSM, ISSO, and System Program/Project Manager. Security responsibilities are routinely "other duties as assigned," secondary to the individual's primary job responsibilities. For a system in our sample where security documentation was not comprehensive and the POA&M omitted identified security weaknesses, a contributing factor was the lack of segregation of ISSO, ISSM, and System Program/Project Manager responsibilities.

[3] GSA Order ADM P 9732.1C, Suitability and Personnel Security, January 15, 1998.
[4] OMB Circular A-123, Management's Responsibility for Internal Control, December 21, 2004.

OMB Circular A-123[4] specifically directs that within the Agency's structure, management should clearly: "define areas of authority and responsibility; appropriately delegate the authority and responsibility throughout the agency; establish a suitable hierarchy for reporting; support appropriate human capital policies for hiring, training, evaluating, counseling, advancing, compensating and disciplining personnel; and uphold the need for personnel to possess and maintain the proper knowledge and skills to perform their assigned duties as well as
understand the importance of maintaining effective internal control within the organization." Control activities include the policies, procedures, and mechanisms in place to help ensure that agency objectives are met, such as proper segregation of duties. Internal control also needs to be in place over information systems, and because information technology changes rapidly, controls must adjust to remain effective. As such, an individual should not be assigned to both the ISSO and ISSM roles for a single GSA system.

To strengthen and clarify GSA's IT Security Policy, the GSA-OCIO should develop the procedural guidance necessary to set and monitor IT security performance goals and measures for system security officials. COs and COTRs should be added to the list of persons with IT security responsibilities, and roles and responsibilities for the background investigation process should be clarified. Further, the GSA-OCIO should collaborate with the GSA Personnel Security Requirements Division to identify and implement controls that effectively ensure all requisite contractor background investigations are initiated. The Contractor Operations section of the GSA IT Security Policy should be clarified to require that task orders, as well as contracts, include appropriate security requirements. Additionally, the GSA-OCIO should require the SAISO to review and approve ISSO and ISSM assignments, and require that one individual cannot act as both the ISSO and ISSM for a single system.

GSA Would Benefit From A More Proactive Approach for Addressing Emerging Risks

During this year's audit fieldwork, we identified emerging risks that have not yet been addressed in specific GSA IT security procedural and technical/hardening guides.
A more proactive approach would benefit system owners in securing web applications and Voice over Internet Protocol (VoIP) implementations by addressing the risks associated with these technologies. While the IT Security Subcommittee of the Information Technology Architecture Planning Committee (ITAPC) meets regularly, the subcommittee has not been proactive in addressing emerging risks such as those identified in this year's FISMA security reviews.

Web Application Security

The importance of web application security is increasing as applications move to this expanded form of connectivity. Over 70 percent of attacks against web sites or web applications come at the application layer, not the network or system layer. The Open Web Application Security Project (OWASP) reports that "Insecure software has its consequences, but insecure web applications, exposed to millions of users through the Internet are a growing concern."[5] Attacks on web applications, whether launched from inside or outside the network, arrive over the HTTP and HTTPS ports that a perimeter firewall must leave open and run with whatever access the application grants its users, so they bypass traditional network firewall and password access controls and may not be monitored. Attackers are increasingly targeting web applications, which have traditionally not been secured as well as network perimeters. Web-based phishing attacks that attempt to trick users into disclosing personal and proprietary information are also exploiting the inherent public trust in .gov web sites.

[5] OWASP, The Ten Most Critical Web Application Security Vulnerabilities, 2004 Update.

In May 2006, we issued an Alert Report to address two significant areas of risk with web applications that needed to be more comprehensively addressed in GSA's IT Security Policy, C&A guidance, and monitoring practices.
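Insufficient input validation, one of the web application weaknesses behind this year's findings, is easiest to see in code. The following is an added example written for this page; it is not code from the report, from the Alert Report, or from any GSA system. It shows a call-center style record lookup in its vulnerable form beside a hardened form. The database table, the rows in it, and the CONF-nnnnn confirmation-number format are constructed for the demonstration and are not taken from any GSA application.

```python
"""Insufficient input validation, shown on a call-center style record lookup.

Added example, not code from the GSA report or any GSA system. The table,
its rows and the confirmation-number format are constructed for this demo.
"""
import re
import sqlite3

# Constructed sample data: records a call-center agent might look up.
SAMPLE_ROWS = [
    ("CONF-10001", "Alice Example", "1 Main St"),
    ("CONF-10002", "Bob Example", "2 Oak Ave"),
    ("CONF-10003", "Carol Example", "3 Pine Rd"),
]

# Assumed format for a confirmation number: CONF- followed by exactly five digits.
CONF_NUMBER = re.compile(r"^CONF-\d{5}$")


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (conf TEXT, name TEXT, address TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, conf: str) -> list:
    """Builds the query by string concatenation with no validation.

    Whatever the caller types is spliced into the SQL text, so the value
    ' OR '1'='1 turns a one-record lookup into a dump of every record.
    """
    sql = "SELECT conf, name, address FROM orders WHERE conf = '" + conf + "'"
    return conn.execute(sql).fetchall()


def lookup_bound_only(conn: sqlite3.Connection, conf: str) -> list:
    """Parameter binding alone: the database compares the value as a literal
    string, so the injection payload simply matches no record."""
    sql = "SELECT conf, name, address FROM orders WHERE conf = ?"
    return conn.execute(sql, (conf,)).fetchall()


def lookup_hardened(conn: sqlite3.Connection, conf: str) -> list:
    """Allowlist validation first, then parameter binding.

    Two independent controls: the allowlist rejects anything that is not a
    well-formed confirmation number before it reaches the database, and the
    binding means the value is never interpreted as SQL even if the allowlist
    is loosened later.
    """
    if not CONF_NUMBER.match(conf):
        raise ValueError("confirmation number has an invalid format")
    return lookup_bound_only(conn, conf)


def demo() -> dict:
    """Run each lookup against a benign value and an injection payload and
    return the number of rows each one yields (or 'rejected')."""
    conn = make_db()
    benign = "CONF-10002"
    payload = "' OR '1'='1"
    result = {
        "vulnerable_benign": len(lookup_vulnerable(conn, benign)),
        "vulnerable_payload": len(lookup_vulnerable(conn, payload)),
        "bound_only_payload": len(lookup_bound_only(conn, payload)),
        "hardened_benign": len(lookup_hardened(conn, benign)),
    }
    try:
        lookup_hardened(conn, payload)
        result["hardened_payload"] = "accepted"
    except ValueError:
        result["hardened_payload"] = "rejected"
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable lookup returns one row for the benign input and all three rows for the payload; parameter binding alone reduces the payload to zero rows, and the allowlist rejects it before any query is run. The same pattern applies to any field a web application accepts from a user, and a scanner of the kind the Agency contracted for in July 2006 is essentially probing for the first function's behaviour.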
Vulnerabilities were found in web application security due to insufficient input validation and unsecured web servers running outdated and unsupported operating system software. Unmanaged vulnerabilities have the potential to harm the public's trust and increase resistance to sharing information with GSA and other government agencies. The Agency updated its C&A procedural guidance to include testing for web application vulnerabilities, performed an assessment of 18 Internet-facing web applications, and trained ten GSA personnel on web application security. The GSA-OCIO also awarded a web application security scanning contract in July 2006 and implemented a requirement that all new GSA web applications be tested for vulnerabilities before being published on the Internet.

Voice over Internet Protocol Security

VoIP, the transmission of voice over packet-switched IP networks, is one of the most important emerging trends in telecommunications. As with many new technologies, VoIP introduces both security risks and opportunities. VoIP has a very different architecture from traditional circuit-switched telephony, and these differences result in significant security issues. Lower cost and greater flexibility are among the promises of VoIP for the enterprise, but VoIP should not be installed without careful consideration of the security problems it introduces.[6]

In 2005 and 2006, we found Regional deployments of VoIP susceptible to multiple critical system and architectural vulnerabilities that would have benefited from guidance on implementing these VoIP deployments.
The Agency IT Security Policy directs GSA employees and contractors to use NIST SP 800-58 as a guide, but does not provide the vendor-specific implementation configuration settings and guidance necessary to properly secure these deployments. Additionally, several risks identified in NIST SP 800-58 were not addressed as part of the implementation process for either system.

[6] National Institute of Standards and Technology, NIST Special Publication 800-58, Security Considerations for Voice over IP Systems, January 2005.

GSA systems have shown improvement, as evidenced by a decrease in the number of critical vulnerabilities we identified from 140 in the ten systems sampled in 2005 to 19 in the ten different systems sampled in 2006. However, the GSA-OCIO should develop technical/hardening guides for newly identified emerging risk areas to benefit system developers and system owners. Additionally, the ITAPC IT Security Subcommittee should regularly take actions to address risks with emerging technologies.

RECOMMENDATIONS

To strengthen GSA's IT Security Program and improve the security of information technology assets, we recommend that the GSA Chief Information Officer take actions to:

1. Implement improved accountability for associates and contractors supporting GSA's IT Security Program by taking actions to:
   a. Engage the Administrator's support for developing standardized performance goals and measures for Information System Security Officers and Information System Security Managers across GSA Service, Staff, and Regional Offices, with periodic assessments of performance by the Senior Agency Information Security Officer for use in performance evaluations.
   b.
Require that contracts and task orders for Information System Security Officer and Information System Security Manager services, in support of GSA systems, include performance requirements similar to the goals and measures being established for GSA associates in these roles.
   c. Collaborate with the GSA Personnel Security Requirements Division to identify and implement procedures and controls that effectively ensure prompt initiation of contractor background investigations for individuals accessing GSA systems and data.

2. Strengthen GSA's IT Security Policy and procedures in the following areas:
   a. Develop the guidance and directives necessary to establish and monitor IT security performance goals and measures for Information System Security Officers and Information System Security Managers.
   b. Require Senior Agency Information Security Officer approval of Information System Security Officer and Information System Security Manager assignments.
   c. Add the roles of Contracting Officer and Contracting Officer's Technical Representative as persons with IT security responsibilities, and clarify the responsibilities of system security officials in the background investigation process.
   d. Segregate IT security roles and responsibilities by requiring that one individual cannot be both the Information System Security Officer and the Information System Security Manager for a single system.
   e. Clarify the Contractor Operations section of the policy to require that task orders, as well as contracts, include appropriate security requirements.

3.
Ensure that the Information Technology Architecture Planning Committee, IT Security Subcommittee regularly takes actions to address risks with emerging technologies.

4. Develop and implement technical/hardening guides for securing web applications and Voice over Internet Protocol.

MANAGEMENT COMMENTS

A copy of the GSA-CIO's comments will be included in their entirety as Appendix D.

INTERNAL CONTROLS

As discussed in the Objectives, Scope, and Methodology section of this report, the objective of our review was to assess the effectiveness of GSA's IT Security Program and practices for select systems in meeting FISMA requirements. While this audit included a review of management, operational, and technical controls for 10 GSA systems, we did not test all system controls across the agency. The Results of Audit and Recommendations sections of this report state in detail the need to strengthen specific managerial, operational, and technical controls within the IT Security Program.

GSA, OFFICE OF INSPECTOR GENERAL RESPONSES TO THE OFFICE OF MANAGEMENT AND BUDGET'S FISMA QUESTIONS

The EXCEL Workbook displayed on the following pages is transmitted in a separate file using the format directed by the Office of Management and Budget.

Section C: Inspector General.
Questions 1, 2, 3, 4, and 5.

Questions 1 and 2

1. As required in FISMA, the IG shall evaluate a representative subset of systems, including information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency. By FIPS 199 risk impact level (high, moderate, low, or not categorized) and by bureau, identify the number of systems reviewed in this evaluation for each classification below (a., b., and c.).

To meet the requirement for conducting a NIST Special Publication 800-26 review, agencies can:
1) Continue to use NIST Special Publication 800-26, or,
2) Conduct a self-assessment against the controls found in NIST Special Publication 800-53

Agencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency; therefore, self reporting by contractors does not meet the requirements of law. Self reporting by another Federal agency, for example, a Federal service provider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.

2. For each part of this question, identify actual performance over the past fiscal year by risk impact level and bureau, in the format provided below.
From the representative subset of systems evaluated, identify the number of systems which have completed the following: have a current certification and accreditation, a contingency plan tested within the past year, and security controls tested within the past year.

Column key for the table below.
Question 1: a. Agency systems, b. Contractor systems, c. Total number of systems; each given as the total number (tot) and the number reviewed (rev).
Question 2: a. Number of systems certified and accredited, b. Number of systems for which security controls have been tested and evaluated in the last year, c. Number of systems for which contingency plans have been tested in accordance with policy and guidance; each given as a number (n) and as a percent of the systems reviewed (%).
A dash marks a cell left blank in the workbook. "n/a" marks cells the workbook shows as #DIV/0!, that is, no systems at that level were reviewed, so no percentage can be computed.

                    Question 1                          Question 2
                    a. Agency   b. Contr.   c. All      a. C&A      b. Controls c. Cont.plan
FIPS 199 level      tot  rev    tot  rev    tot  rev    n    %      n    %      n    %
Public Buildings Service (PBS)
  High              -    -      -    -      0    0      -    n/a    -    n/a    -    n/a
  Moderate          10   2      -    -      10   2      2    100%   2    100%   2    100%
  Low               -    -      -    -      0    0      -    n/a    -    n/a    -    n/a
  Not Categorized   -    -      -    -      0    0      -    n/a    -    n/a    -    n/a
  Sub-total         10   2      0    0      10   2      2    100%   2    100%   2    100%
Federal Supply Service (FSS)
  High              -    -      -    -      0    0      -    n/a    -    n/a    -    n/a
  Moderate          2    -      9    1      11   1      1    100%   1    100%   0    0%
  Low               1    -      3    -      4    0      -    n/a    -    n/a    -    n/a
  Not Categorized   -    -      -    -      0    0      -    n/a    -    n/a    -    n/a
  Sub-total         3    0      12   1      15   1      1    100%   1    100%   0    0%
Federal Technology Service (FTS)
  High              -    -      -    -      0    0      -    n/a    -    n/a    -    n/a
  Moderate          2    -      6    1      8    1      1    100%   1    100%   1    100%
  Low               2    -      2    -      4    0      -    n/a    -    n/a    -    n/a
  Not Categorized   -    -      -    -      0    0      -    n/a    -    n/a    -    n/a
  Sub-total         4    0      8    1      12   1      1    100%   1    100%   1    100%
Office of the Chief Acquisition Officer (OCAO)
  High              -    -      -    -      0    0      -    n/a    -    n/a    -    n/a
  Moderate          -    -      4    -      4    0      -    n/a    -    n/a    -    n/a
  Low               1    -      3    -      4    0      -    n/a    -    n/a    -    n/a
  Not Categorized   -    -      -    -      0    0      -    n/a    -    n/a    -    n/a
  Sub-total         1    0      7    0      8    0      0    n/a    0    n/a    0    n/a
Office of Governmentwide Policy (OGP)
  High              -    -      -    -      0    0      -    n/a    -    n/a    -    n/a
  Moderate          1    -      -    -      1    0      -    n/a    -    n/a    -    n/a
  Low               3    -      2    -      5    0      -    n/a    -    n/a    -    n/a
  Not Categorized   -    -      -    -      0    0      -    n/a    -    n/a    -    n/a
  Sub-total         4    0      2    0      6    0      0    n/a    0    n/a    0    n/a
Office of the Chief Information Officer (CIO)
  High              -    -      -    -      0    0      -    n/a    -    n/a    -    n/a
  Moderate          2    1      -    -      2    1      1    100%   1    100%   1    100%
  Low               -    -      -    -      0    0      -    n/a    -    n/a    -    n/a
  Not Categorized   -    -      -    -      0    0      -    n/a    -    n/a    -    n/a
  Sub-total         2    1      0    0      2    1      1    100%   1    100%   1    100%
Office of the Chief Financial Officer (CFO)
  High              -    -      -    -      0    0      -    n/a    -    n/a    -    n/a
  Moderate          1    -      3    1      4    1      1    100%   1    100%   1    100%
  Low               -    -      -    -      0    0      -    n/a    -    n/a    -    n/a
  Not Categorized   -    -      -    -      0    0      -    n/a    -    n/a    -    n/a
  Sub-total         1    0      3    1      4    1      1    100%   1    100%   1    100%
Office of the Chief People Officer (CPO)
  High              -    -      -    -      0    0      -    n/a    -    n/a    -    n/a
  Moderate          1    -      1    -      2    0      -    n/a    -    n/a    -    n/a
  Low               -    -      -    -      0    0      -    n/a    -    n/a    -    n/a
  Not Categorized   -    -      -    -      0    0      -    n/a    -    n/a    -    n/a
  Sub-total         1    0      1    0      2    0      0    n/a    0    n/a    0    n/a
Office of the Inspector General (OIG)
  High              -    -      -    -      0    0      -    n/a    -    n/a    -    n/a
  Moderate          1    -      -    -      1    0      -    n/a    -    n/a    -    n/a
  Low               -    -      -    -      0    0      -    n/a    -    n/a    -    n/a
  Not Categorized   -    -      -    -      0    0      -    n/a    -    n/a    -    n/a
  Sub-total         1    0      0    0      1    0      0    n/a    0    n/a    0    n/a
Office of General Counsel (OGC)
  High              -    -      -    -      0    0      -    n/a    -    n/a    -    n/a
  Moderate          -    -      -    -      0    0      -    n/a    -    n/a    -    n/a
  Low               1    -      -    -      1    0      -    n/a    -    n/a    -    n/a
  Not Categorized   -    -      -    -      0    0      -    n/a    -    n/a    -    n/a
  Sub-total         1    0      0    0      1    0      0    n/a    0    n/a    0    n/a
Board of Contract Appeals (BCA)
  High              -    -      -    -      0    0      -    n/a    -    n/a    -    n/a
  Moderate          -    -      -    -      0    0      -    n/a    -    n/a    -    n/a
  Low               1    -      -    -      1    0      -    n/a    -    n/a    -    n/a
  Not Categorized   -    -      -    -      0    0      -    n/a    -    n/a    -    n/a
  Sub-total         1    0      0    0      1    0      0    n/a    0    n/a    0    n/a
Office of Citizen Services and Communications (OCSC)
  High              -    -      -    -      0    0      -    n/a    -    n/a    -    n/a
  Moderate          -    -      -    -      0    0      -    n/a    -    n/a    -    n/a
  Low               -    -      2    1      2    1      1    100%   1    100%   0    0%
  Not Categorized   -    -      -    -      0    0      -    n/a    -    n/a    -    n/a
  Sub-total         0    0      2    1      2    1      1    100%   1    100%   0    0%
Region 1
  High              -    -      -    -      0    0      -    n/a    -    n/a    -    n/a
  Moderate          1    -      -    -      1    0      -    n/a    -    n/a    -    n/a
  Low               -    -      -    -      0    0      -    n/a    -    n/a    -    n/a
  Not Categorized   -    -      -    -      0    0      -    n/a    -    n/a    -    n/a
  Sub-total         1    0      0    0      1    0      0    n/a    0    n/a    0    n/a
Region 2
  High              -    -      -    -      0    0      -    n/a    -    n/a    -    n/a
  Moderate          1    -      -    -      1    0      -    n/a    -    n/a    -    n/a
  Low               -    -      -    -      0    0      -    n/a    -    n/a    -    n/a
  Not Categorized   -    -      -    -      0    0      -    n/a    -    n/a    -    n/a
  Sub-total         1    0      0    0      1    0      0    n/a    0    n/a    0    n/a
Region 3
  High              -    -      -    -      0    0      -    n/a    -    n/a    -    n/a
  Moderate          1    -      -    -      1    0      -    n/a    -    n/a    -    n/a
  Low               -    -      -    -      0    0      -    n/a    -    n/a    -    n/a
  Not Categorized   -    -      -    -      0    0      -    n/a    -    n/a    -    n/a
  Sub-total         1    0      0    0      1    0      0    n/a    0    n/a    0    n/a
Region 4
  High              -    -      -    -      0    0      -    n/a    -    n/a    -    n/a
                  #DIV/0!                       #DIV/0!\n                                                              Moderate                          2                                                         2             0                    #DIV/0!                     #DIV/0!                       #DIV/0!\n                                                              Low                                                                                         0             0                    #DIV/0!                     #DIV/0!                       #DIV/0!\n                                                              Not Categorized                                                                             0             0                    #DIV/0!                     #DIV/0!                       #DIV/0!\n                                                           Sub-total                            2               0           0              0              2             0             0      #DIV/0!                0    #DIV/0!                0      #DIV/0!\nRegion 5                                                      High                                                                                        0             0                    #DIV/0!                     #DIV/0!                       #DIV/0!\n                                                              Moderate                          2               2                                         2             2             2         100.0%              2       100.0%              2          100.0%\n                                                               Low                                                                                        0             0                    #DIV/0!                     #DIV/0!                       
#DIV/0!\n                                                              Not Categorized                                                                             0             0                    #DIV/0!                     #DIV/0!                       #DIV/0!\n                                                           Sub-total                            2               2           0              0              2             2             2         100.0%              2       100.0%              2          100.0%\nRegion 6                                                      High                                                                                        0             0                    #DIV/0!                     #DIV/0!                       #DIV/0!\n                                                              Moderate                          2               1                                         2             1             1         100.0%              1       100.0%              0            0.0%\n                                                              Low                                                                                         0             0                    #DIV/0!                     #DIV/0!                       #DIV/0!\n                                                              Not Categorized                                                                             0             0                    #DIV/0!                     #DIV/0!                       
#DIV/0!\n                                                           Sub-total                            2               1           0              0              2             1             1         100.0%              1       100.0%              0            0.0%\nRegion 7                                                      High                                                                                        0             0                    #DIV/0!                     #DIV/0!                       #DIV/0!\n                                                              Moderate                          1                                                         1             0                    #DIV/0!                     #DIV/0!                       #DIV/0!\n                                                              Low                                                                                         0             0                    #DIV/0!                     #DIV/0!                       #DIV/0!\n                                                              Not Categorized                                                                             0             0                    #DIV/0!                     #DIV/0!                       #DIV/0!\n                                                           Sub-total                            1               0           0              0              1             0             0      #DIV/0!                0    #DIV/0!                0      #DIV/0!\nRegion 8                                                      High                                                                                        0             0                    #DIV/0!                     #DIV/0!                       
#DIV/0!\n                                                              Moderate                          2                                                         2             0                    #DIV/0!                     #DIV/0!                       #DIV/0!\n                                                              Low                                                                                         0             0                    #DIV/0!                     #DIV/0!                       #DIV/0!\n                                                              Not Categorized                                                                             0             0                    #DIV/0!                     #DIV/0!                       #DIV/0!\n                                                           Sub-total                            2               0           0              0              2             0             0      #DIV/0!                0    #DIV/0!                0      #DIV/0!\nRegion 9                                                      High                                                                                        0             0                    #DIV/0!                     #DIV/0!                       #DIV/0!\n                                                              Moderate                          1                                                         1             0                    #DIV/0!                     #DIV/0!                       #DIV/0!\n                                                              Low                                                                                         0             0                    #DIV/0!                     #DIV/0!                       #DIV/0!\n                                                              Not Categorized                                                                             0             0                    #DIV/0!   
                  #DIV/0!                       #DIV/0!\n                                                           Sub-total                            1               0           0              0              1             0             0      #DIV/0!                0    #DIV/0!                0      #DIV/0!\nRegion 10                                                     High                                                                                        0             0                    #DIV/0!                     #DIV/0!                       #DIV/0!\n                                                              Moderate                          1                                                         1             0                    #DIV/0!                     #DIV/0!                       #DIV/0!\n                                                              Low                                                                                         0             0                    #DIV/0!                     #DIV/0!                       #DIV/0!\n                                                              Not Categorized                                                                             0             0                    #DIV/0!                     #DIV/0!                       #DIV/0!\n                                                           Sub-total                            1               0           0              0              1             0             0      #DIV/0!                0    #DIV/0!                0      #DIV/0!\nNational Capitol Region (NCR)                                 High                                                                                        0             0                    #DIV/0!                     #DIV/0!                       
#DIV/0!\n                                                              Moderate                          1                                                         1             0                    #DIV/0!                     #DIV/0!                       #DIV/0!\n                                                              Low                                                                                         0             0                    #DIV/0!                     #DIV/0!                       #DIV/0!\n                                                              Not Categorized                                                                             0             0                    #DIV/0!                     #DIV/0!                       #DIV/0!\n                                                           Sub-total                            1               0           0              0              1             0             0      #DIV/0!                0    #DIV/0!                0      #DIV/0!\nAgency Totals                                                  High                             0               0           0              0             0              0             0      #DIV/0!                0    #DIV/0!                
0      #DIV/0!\n                                                               Moderate                        35               6          23              3            58              9             9         100.0%              9       100.0%              7           77.8%\n                                                               Low                              9               0          12              1            21              1             1         100.0%              1       100.0%              0            0.0%\n                                                               Not Categorized                  0               0           0              0             0              0             0      #DIV/0!                0    #DIV/0!                0      #DIV/0!\n\n                                                           Total                               44               6          35              4            79             10           10          100.0%              10      100.0%              7           70.0%\n                                                                                                                            Question 3\n\nIn the format below, evaluate the agency\xe2\x80\x99s oversight of contractor systems, and agency system inventory.\n\n\n                                                           The agency performs oversight and evaluation to ensure information systems used or operated by a contractor of the\n                                                           agency or other organization on behalf of the agency meet the requirements of FISMA, OMB policy and NIST guidelines,\n                                                           national security policy, and agency policy. 
        Self-reporting of NIST Special Publication 800-26 and/or NIST 800-53 requirements by a contractor or other
        organization is not sufficient; however, self-reporting by another Federal agency may be sufficient.

        Response Categories:
             - Rarely, for example, approximately 0-50% of the time
             - Sometimes, for example, approximately 51-70% of the time
             - Frequently, for example, approximately 71-80% of the time
             - Mostly, for example, approximately 81-95% of the time
             - Almost Always, for example, approximately 96-100% of the time

        OIG response to 3.a.: Almost Always, for example, approximately 96-100% of the time

3.b.1.  The agency has developed an inventory of major information systems (including major national security systems) operated
        by or under the control of such agency, including an identification of the interfaces between each such system and all other
        systems or networks, including those not operated by or under the control of the agency.

        Response Categories:
             - Approximately 0-50% complete
             - Approximately 51-70% complete
             - Approximately 71-80% complete
             - Approximately 81-95% complete
             - Approximately 96-100% complete

        OIG response to 3.b.1.: Approximately 96-100% complete

3.b.2.  If the Agency IG does not evaluate the Agency's inventory as 96-100% complete, please list the systems that are missing
        from the inventory.

        Missing Agency Systems:

                                                                      A-3

        Missing Contractor Systems:

3.c.    The OIG generally agrees with the CIO on the number of agency owned systems.                                           Yes

3.d.    The OIG generally agrees with the CIO on the number of information systems used or operated by a contractor of the
        agency or other organization on behalf of the agency.                                                                  Yes

3.e.    The agency inventory is maintained and updated at least annually.                                                      Yes

3.f.    The agency has completed system e-authentication risk assessments.                                                     Yes

                                                                 Question 4

Through this question, and in the format provided below, assess whether the agency has developed, implemented, and is managing an
agencywide plan of action and milestones (POA&M) process. Evaluate the degree to which the following statements reflect the status in
your agency by choosing from the responses provided in the drop down menu. If appropriate or necessary, include comments in the area
provided below.

For items 4.a.-4.f., the response categories are as follows:

      -   Rarely, for example, approximately 0-50% of the time
      -   Sometimes, for example, approximately 51-70% of the time
      -   Frequently, for example, approximately 71-80% of the time
      -   Mostly, for example, approximately 81-95% of the time
      -   Almost Always, for example, approximately 96-100% of the time

4.a.    The POA&M is an agency wide process, incorporating all known IT security weaknesses associated with information
        systems used or operated by the agency or by a contractor of the agency or other organization on behalf of the agency.
        Response: Almost Always, for example, approximately 96-100% of the time

4.b.    When an IT security weakness is identified, program officials (including CIOs, if they own or operate a system) develop,
        implement, and manage POA&Ms for their system(s).
        Response: Frequently, for example, approximately 71-80% of the time

4.c.    Program officials, including contractors, report to the CIO on a regular basis (at least quarterly) on their remediation
        progress.
        Response: Almost Always, for example, approximately 96-100% of the time

4.d.    CIO centrally tracks, maintains, and reviews POA&M activities on at least a quarterly basis.
        Response: Almost Always, for example, approximately 96-100% of the time

4.e.    OIG findings are incorporated into the POA&M process.
        Response: Almost Always, for example, approximately 96-100% of the time

4.f.    POA&M process prioritizes IT security weaknesses to help ensure significant IT security weaknesses are addressed in a
        timely manner and receive appropriate resources.
        Response: Almost Always, for example, approximately 96-100% of the time

Comments: The General Services Administration Chief Information Officer has developed an agencywide POA&M process; all ten systems
reviewed have a POA&M, and the majority of known IT security weaknesses were being managed in the POA&Ms. However, implementation of
the process was inconsistent. The POA&M for one Regional general support system did not include multiple weaknesses identified during
the C&A process, and the POA&M for a component of a larger major application did not include weaknesses identified for the component
during vulnerability scanning.

                                                                 Question 5

OIG Assessment of the Certification and Accreditation Process. OMB is requesting IGs to provide a qualitative assessment of the agency's
certification and accreditation process, including adherence to existing policy, guidance, and standards. Agencies shall follow NIST
Special Publication 800-37, "Guide for the Security Certification and Accreditation of Federal Information Systems" (May 2004), for
certification and accreditation work initiated after May 2004.
This includes use of FIPS 199 (February 2004), "Standards for Security Categorization of Federal Information and Information Systems,"
to determine an impact level, as well as associated NIST documents used as guidance for completing risk assessments and security plans.

        Assess the overall quality of the Department's certification and accreditation process.

        Response Categories:
             - Excellent
             - Good
             - Satisfactory
             - Poor
             - Failing

        OIG response: Satisfactory

Comments: The overall OIG assessment of "Satisfactory" resulted from system owners' inconsistent implementation of the GSA CIO's
Certification and Accreditation (C&A) process, which was developed in accordance with NIST SP 800-37 and FIPS 199. One contractor
system was not given GSA procedural guides when developing C&A documentation, and therefore its C&A documentation did not conform to
GSA requirements. Security documentation for one general support system was not updated to address the reviewed component.

                                                                      A-4

                                     Section B: Inspector General. Questions 6, 7, 8, and 9.

                                                             Agency Name:

                                                                 Question 6

6.a.    Is there an agency wide security configuration policy? Yes or No.                                                      Yes

        Comments: GSA's IT Security Policy requires all agency systems to use GSA technical guidelines, NIST guidelines, or industry
        best practices for purposes of security configuration and hardening.

6.b.    Configuration guides are available for the products listed below. Identify which software is addressed in the agency wide
        security configuration policy. Indicate whether or not any agency systems run the software. In addition, approximate the
        extent of implementation of the security configuration policy on the systems running the software.

        Response choices for the extent of implementation:
             - Rarely, or on approximately 0-50% of the systems running this software
             - Sometimes, or on approximately 51-70% of the systems running this software
             - Frequently, or on approximately 71-80% of the systems running this software
             - Mostly, or on approximately 81-95% of the systems running this software
             - Almost Always, or on approximately 96-100% of the systems running this software

        Product                       Addressed in          Do any agency        Extent of implementation of the security
                                      agencywide policy?    systems run this     configuration policy on the systems running
                                      (Yes, No, or N/A)     software? (Yes/No)   the software
        ---------------------------------------------------------------------------------------------------------------------
        Windows XP Professional       Yes                   Yes                  Almost Always, approximately 96-100% of systems
        Windows NT                    Yes                   Yes                  Almost Always, approximately 96-100% of systems
        Windows 2000 Professional     Yes                   Yes                  Almost Always, approximately 96-100% of systems
        Windows 2000 Server           Yes                   Yes                  Mostly, approximately 81-95% of systems
        Windows 2003 Server           Yes                   Yes                  Almost Always, approximately 96-100% of systems
        Solaris                       Yes                   Yes                  Mostly, approximately 81-95% of systems
        HP-UX                         Yes                   Yes                  Almost Always, approximately 96-100% of systems
        Linux                         Yes                   Yes                  Sometimes, approximately 51-70% of systems
        Cisco Router IOS              Yes                   Yes                  Almost Always, approximately 96-100% of systems
        Oracle                        (not on this page)    (not on this page)   Rarely, approximately 0-50% of systems
                                                          Yes                      Yes               running this software\n              Other. Specify:\nComments: We performed vulnerability scanning on ten select systems including four contractor systems and six components of larger systems to determine the\ndegree of implementation of hardening guides. Audit determinations regarding the extent of hardening guide implementations are based on a sample of ten select\nsystems and may differ from agency responses due to different sample sizes. One contractor system had a Linux device with critical-level vulnerabilities indicating\nthat it had not been appropriately hardened. Review of Oracle database settings for two contractor systems showed numerous inconsistencies with the Agency\'s\nrecommended settings, indicating that the Oracle devices had not been hardened in accordance with GSA\'s IT security policy.\n\n\n\n\n                                                                                         Question 7\n\n\nIndicate whether or not the following policies and procedures are in place at your agency. If appropriate or necessary, include comments in the area provided below.\n\n                        The agency follows documented policies and procedures for identifying and reporting\n       7.a.             incidents internally.                                                                                                            Yes\n                        Yes or No.\n\n\n\n\n                                                                                              A-5\n\x0c                  The agency follows documented policies and procedures for external reporting to law\n      7.b.        enforcement authorities.                                                                                          Yes\n                  Yes or No.\n                  The agency follows defined procedures for reporting to the United States Computer\n      7.c.  
      Emergency Readiness Team (US-CERT). http://www.us-cert.gov                                                        Yes\n                  Yes or No.\nComments: The GSA-CIO has developed a procedural guide that outlines the policies and procedures for incident handling and reporting across the agency.\nIncident handling and reporting were generally consistent with this guide for the ten systems we reviewed.\n\n\n                                                                            Question 8\n\n                  Has the agency ensured security training and awareness of all employees, including\n                  contractors and those employees with significant IT security responsibilities?\n\n                  Response Choices include:\n                  - Rarely, or, approximately 0-50% of employees have sufficient training\n                                                                                                         - Almost Always, or approximately 96-100% of employees have\n        8          - Sometimes, or approximately 51-70% of employees have sufficient training\n                                                                                                        sufficient training\n                   - Frequently, or approximately 71-80% of employees have sufficient training\n                   - Mostly, or approximately 81-95% of employees have sufficient training\n                   - Almost Always, or approximately 96-100% of employees have sufficient training\n\n\n\n\n                                                                            Question 9\n\n\n\n                  Does the agency explain policies regarding peer-to-peer file sharing in IT security\n        9         awareness training, ethics training, or any other agency wide training?                                           
Yes\n                  Yes or No.\n\n\n\n\n                                                                                  A-6\n\x0c                           FY 2006 OFFICE OF INSPECTOR GENERAL\n                           FISMA REVIEW OF GSA\xe2\x80\x99S INFORMATION\n                             TECHNOLOGY SECURITY PROGRAM\n                             REPORT NUMBER A060123/O/T/F06018\n\n TEN SYSTEMS REVIEWED BY THE OFFICE OF INSPECTOR GENERAL IN 2006\n\n     System                   Owner                                          Description\n                                                   e-Buy is GSA\'s latest acquisition tool and is designed primarily for\n                                                   the acquisition of services and/or large purchases. e-Buy is a\n      e-Buy\n                                                   system that allows agency buyers to post Requests For Quotes for a\n(Component of the      Federal Supply Service\n                                                   specified period of time for a wide range of products and services\n GSA Advantage!                (FSS)\n                                                   offered from Multiple Award Schedule contract vendors. e-Buy is\nMajor Application)\n                                                   a component of a contractor supported system categorized as\n                                                   moderate risk.\n                                                   USA Services/National Contact Center (NCC) responds to public\n                                                   inquiries seeking information on a wide range of government\n                      Office of Citizen Services   programs. The Government contracted out the operations of the\nUSA Services/NCC\n                        and Communications         NCC in 1990. 
In FY2003, the NCC responded to over 1.5 million\n(Major Application)\n                               (OCSC)              inquiries and took over 246,000 orders for consumer publications.\n                                                   USA Services/NCC is a contractor supported system categorized as\n                                                   low risk.\n   Data Gateway                                    Data Gateway establishes standard tools and allows for consistency\n  (Component of                                    and accuracy in data by enabling the electronic transfer of key\n                      Public Buildings Service\n  Realty Services                                  business information among a number of disparate systems. Data\n                               (PBS)\n  Enclave Major                                    Gateway is a component of an Agency system categorized as\n   Application)                                    moderate risk.\n                                                   Under the FEDdesk suite of services, GSA offers Federal agencies\n     FEDdesk\n                      Office of Chief Financial    fully automated and paperless transactions for time and attendance.\n(Component of PAR\n                           Officer (CFO)           FEDdesk is a component of a contractor supported system\n Major Application)\n                                                   categorized as moderate risk.\n  Region 6 VoIP                                    The Region 6 VoIP system resides on the Region 6 PBS LAN in\n  (Component of                                    Kansas City, MO and provides voice service and voice mail.\nRegion 6 PBS LAN       Heartland Region (R6)       Region 6 VoIP is a component of an Agency system categorized as\n General Support                                   moderate risk.\n     System)\n                                                   The Region 5 PBS LAN system provides both onsite and remote\n      
                                             network access to the users of the Great Lakes Region\n                                                   Organizational Unit of the GSA Active Domain that enables them\nRegion 5 PBS LAN\n                                                   to perform their business line missions and support their customers\n (General Support     Great Lakes Region (R5)\n                                                   by accessing, viewing, creating and modifying Regional and\n     System)\n                                                   National non-classified data through local and Nationally\n                                                   maintained applications. Region 5 PBS LAN is an Agency system\n                                                   categorized as moderate risk.\n                                                   The purpose of the Region 5 FTS LAN system is to provide both\n                                                   onsite and remote network access to the users of the Great Lakes\nRegion 5 FTS LAN                                   Region Domain that enables them to perform their business line\n (General Support     Great Lakes Region (R5)      missions and support their customers by accessing, viewing,\n     System)                                       creating and modifying Regional and National non-classified data\n                                                   through local and Nationally maintained applications. Region 5\n                                                   FTS LAN is an Agency system categorized as moderate risk.\n                                                   The RAS is GSA\xe2\x80\x99s private remote access network infrastructure\n        RAS                                        offering remote network connectivity to all GSA associates and\n  (Component of                                    partners nationwide. 
The RAS Infrastructure supports several\n                          Office of the Chief\n     Enterprise                                    remote access technologies including: 56kbps Dial-up, Integrated\n                         Information Officer\n   Infrastructure                                  Services Digital Network (ISDN) at 128kbps, High Speed Access\n                                (CIO)\nOperations General                                 using Virtual Private Network (VPN), and GSA private Enterprise\n Support System)                                   Digital Service Link (eDSL). RAS is a component of an Agency\n                                                   system categorized as moderate risk.\n\n                                                       B-1\n\x0c     System                   Owner                                         Description\n                                                  NSOBS/TOPS automates the local service and long distance\n                                                  business processes including ordering, billing and reconciliation of\n                                                  telecommunications services. The benefits of this project include\n                        Federal Technology        minimization of paperwork, processing speed, and ensuring\n  NSOBS/TOPS\n                              Service             customer satisfaction.      
It supports all Government agency\n(Major Application)\n                               (FTS)              customers with telecommunications inventory management, on-\n                                                  line ordering, and on-line access to account information.\n                                                  NSOBS/TOPS is a contractor supported system categorized as\n                                                  moderate risk.\n     OA Tool                                      The Occupancy Agreement Tool (OA Tool) is used by Realty\n  (Component of                                   Specialists responsible for obtaining space for PBS customers. The\n                      Public Buildings Services\n  Realty Services                                 OA Tool interacts with STAR to provide readiness, occupancy\n                               (PBS)\n  Enclave Major                                   agreement, and billing information. OA Tool is a component of an\n   Application)                                   Agency system categorized as moderate risk.\n\n\n\n\n                                                      B-2\n\x0c                            FY 2006 OFFICE OF INSPECTOR GENERAL\n                            FISMA REVIEW OF GSA\xe2\x80\x99S INFORMATION\n                              TECHNOLOGY SECURITY PROGRAM\n                              REPORT NUMBER A060123/O/T/F06018\n\n          STATUS OF CONTRACTOR BACKGROUND INVESTIGATIONS FOR\n                             TEN SYSTEMS\n\n\n                                                         GSA         GSA\n                                         GSA          Required     Required\n                                       Required        NACIC        NACIC\n                           Number       NACIC        Background   Background\n       System                Of       Background Investigations Investigations\n                          Contractor Investigations Requested But     Not\n           
                                      7\n                          Personnel   Completed     Not Completed  Requested\n         e-Buy8                  94                   12                      82                      0\n\n    USA Services/NCC             5                    0                       0                       5\n\n\n      Data Gateway               5                    1                       2                       2\n\n\n        FEDdesk                  7                    6                       1                       0\n\n     Region 6 VoIP9              0                    0                       0                       0\n\n    Region 5 PBS LAN             22                   7                       15                      0\n\n\n    Region 5 FTS LAN             4                    0                       3                       1\n\n\n          RAS                    10                   4                       6                       0\n\n      NSOBS/TOPS                 7                    7                       0                       0\n\n        OA Tool                  23                   9                       6                       8\n\n\n\n\n7\n  Column includes completed NACIC (National Agency Check with Inquiries Credit), DOD Top Secret Clearance,\nMBI, and LBI investigations.\n8\n  The ISSO for e-Buy did not identify contractor support personnel for one company supporting the system, and did\nnot confirm whether NACIC background investigations had been requested.\n9\n  Region 6 VoIP was the only system in our sample not supported by contractor personnel.\n                                                      C-1\n\x0c   FY 2006 OFFICE OF INSPECTOR GENERAL\n   FISMA REVIEW OF GSA\xe2\x80\x99S INFORMATION\n     TECHNOLOGY SECURITY PROGRAM\n     REPORT NUMBER A060123/O/T/F06018\n\nGSA-CIO\xe2\x80\x99S RESPONSE TO DRAFT AUDIT REPORT\n\n\n\n\n                   D-1\n\x0c                                  FY 2006 OFFICE OF 
INSPECTOR GENERAL\n                                  FISMA REVIEW OF GSA\xe2\x80\x99S INFORMATION\n                                    TECHNOLOGY SECURITY PROGRAM\n                                    REPORT NUMBER A060123/O/T/F06018\n\n                                               REPORT DISTRIBUTION\n\n                                                                                                                              Copies\n\nOffice of the Chief Information Officer (I)..................................................................................3\n\nOffice of the Chief Financial Officer (B) ....................................................................................2\n\n                                                                                                               Electronic Copies\n\nOffice of the CFO Chief Information Officer (BD).....................................................................1\n\nOffice of the FAS Chief Information Officer (TH) .....................................................................1\n\nOffice of the PBS Chief Information Officer (PGA)...................................................................1\n\nOffice of the CSC Chief Information Officer (XCI) ...................................................................1\n\nGreat Lakes Region 5 (5A) ..........................................................................................................1\n\nHeartland Region 6 (6A)..............................................................................................................1\n\nAudit Follow-up and Evaluation Branch (BECA).......................................................................1\n\nAssistant Inspector General for Auditing (JA) ............................................................................2\n\nAudit Operations Staff (JAO) ......................................................................................................1\n\nDeputy Assistant 
Inspector General for Finance and Administrative Audits (JA-F) ..................1\n\nDeputy Assistant Inspector General for Real Property Audits (JA-R) ........................................1\n\nDeputy Assistant Inspector General for Acquisition Audits (JA-A) ...........................................1\n\nRegional Inspector General for Auditing (JA-5 and JA-6)..........................................................2\n\nAdministration and Data Systems Staff (JAS).............................................................................1\n\nAssistant Inspector General for Investigations (JI)......................................................................1\n\nRegional Inspector General for Investigations (JI-5 and JI-6).....................................................2\n\n\n\n\n                                                                  E-1\n\x0c'